
Example 1 with X509CertStoreSelector

Use of com.github.zhenwei.provider.x509.X509CertStoreSelector in project XobotOS by xamarin.

Class RFC3280CertPathUtilities, method processCRLF.

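/**
 * Obtain and validate the certification path for the complete CRL issuer.
 * If a key usage extension is present in the CRL issuer's certificate,
 * verify that the cRLSign bit is set.
 * <p>
 * Candidate issuer certificates are collected from all configured stores
 * (subject matching the CRL issuer name) plus <code>defaultCRLSignCert</code>.
 * Every candidate other than <code>defaultCRLSignCert</code> is path-built
 * with a PKIX <code>CertPathBuilder</code>; the working public key of each
 * successfully built path is a possible CRL verification key. A candidate
 * that carries a key usage extension without cRLSign is dropped; a candidate
 * without any key usage extension is accepted.
 * </p>
 *
 * @param crl                CRL which contains revocation information for the certificate
 *                           <code>cert</code>.
 * @param cert               The attribute certificate or certificate to check if it is
 *                           revoked. Not used by this step.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 *                           It is accepted without a second path validation, because
 *                           that path has already been validated.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param paramsPKIX         PKIX parameters; their stores are searched for issuer
 *                           candidates and they seed the builder parameters.
 * @param certPathCerts      The certificates on the certification path. A candidate
 *                           that appears on this path is built with revocation checking
 *                           disabled to avoid a dependency loop.
 * @return A <code>Set</code> with all keys of possible CRL issuer
 *         certificates. Never empty: an empty result is reported as an exception.
 * @throws AnnotatedException if the CRL issuer name cannot be encoded, the stores cannot be
 *                            searched, no candidate yields a valid path, or every candidate
 *                            with a path is rejected by its key usage extension.
 * @throws RuntimeException   if the PKIX builder or its parameters cannot be created; this
 *                            indicates a provider configuration problem rather than a bad CRL.
 */
protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, ExtendedPKIXParameters paramsPKIX, List certPathCerts) throws AnnotatedException {
    // (f)
    // get issuer from CRL
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try {
        byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
        selector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }
    // get CRL signing certs
    Collection coll;
    try {
        coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores());
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores()));
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);
    Iterator cert_it = coll.iterator();
    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    while (cert_it.hasNext()) {
        X509Certificate signingCert = (X509Certificate) cert_it.next();
        /*
         * CA of the certificate, for which this CRL is checked, has also
         * signed CRL, so skip the path validation, because is already done
         */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try {
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            selector = new X509CertStoreSelector();
            selector.setCertificate(signingCert);
            ExtendedPKIXParameters temp = (ExtendedPKIXParameters) paramsPKIX.clone();
            temp.setTargetCertConstraints(selector);
            ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance(temp);
            /*
             * if signingCert is placed not higher on the cert path a
             * dependency loop results. CRL for cert is checked, but
             * signingCert is needed for checking the CRL which is dependent
             * on checking cert because it is higher in the cert path and so
             * signing signingCert transitively. so, revocation is disabled,
             * forgery attacks of the CRL are detected in this outer loop
             * for all other it must be enabled to prevent forgery attacks
             */
            if (certPathCerts.contains(signingCert)) {
                params.setRevocationEnabled(false);
            } else {
                params.setRevocationEnabled(true);
            }
            List certs = builder.build(params).getCertPath().getCertificates();
            validCerts.add(signingCert);
            // index 0 is the target (signingCert) of the freshly built path
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
        } catch (CertPathBuilderException e) {
            throw new AnnotatedException("Internal error.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // What remains here is NoSuchAlgorithmException / NoSuchProviderException
            // from getInstance() and InvalidAlgorithmParameterException from build(),
            // i.e. a broken provider setup. Keep the cause attached; the original
            // message-only wrapping discarded the stack trace needed to diagnose it.
            throw new RuntimeException(e.getMessage(), e);
        }
    }
    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate) validCerts.get(i);
        boolean[] keyusage = signCert.getKeyUsage();
        // A present key usage extension must contain the cRLSign bit; the length
        // guard keeps the index in range for a truncated bit string. No extension
        // at all does not disqualify the candidate.
        if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN])) {
            // Only the last rejection is remembered; it is reported solely when
            // no candidate at all survives the key usage check.
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }
    if (checkKeys.isEmpty() && lastException == null) {
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    if (checkKeys.isEmpty() && lastException != null) {
        throw lastException;
    }
    return checkKeys;
}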

Example 2 with X509CertStoreSelector

Use of com.github.zhenwei.provider.x509.X509CertStoreSelector in project robovm by robovm.

Class RFC3280CertPathUtilities, method processCRLF.

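/**
 * Obtain and validate the certification path for the complete CRL issuer.
 * If a key usage extension is present in the CRL issuer's certificate,
 * verify that the cRLSign bit is set.
 * <p>
 * Candidate issuer certificates are collected from all configured stores
 * (subject matching the CRL issuer name) plus <code>defaultCRLSignCert</code>.
 * Every candidate other than <code>defaultCRLSignCert</code> is path-built
 * with a PKIX <code>CertPathBuilder</code>; the working public key of each
 * successfully built path is a possible CRL verification key. A candidate
 * that carries a key usage extension without cRLSign is dropped; a candidate
 * without any key usage extension is accepted.
 * </p>
 *
 * @param crl                CRL which contains revocation information for the certificate
 *                           <code>cert</code>.
 * @param cert               The attribute certificate or certificate to check if it is
 *                           revoked. Not used by this step.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 *                           It is accepted without a second path validation, because
 *                           that path has already been validated.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param paramsPKIX         PKIX parameters; their stores are searched for issuer
 *                           candidates and they seed the builder parameters.
 * @param certPathCerts      The certificates on the certification path. A candidate
 *                           that appears on this path is built with revocation checking
 *                           disabled to avoid a dependency loop.
 * @return A <code>Set</code> with all keys of possible CRL issuer
 *         certificates. Never empty: an empty result is reported as an exception.
 * @throws AnnotatedException if the CRL issuer name cannot be encoded, the stores cannot be
 *                            searched, no candidate yields a valid path, or every candidate
 *                            with a path is rejected by its key usage extension.
 * @throws RuntimeException   if the PKIX builder or its parameters cannot be created; this
 *                            indicates a provider configuration problem rather than a bad CRL.
 */
protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, ExtendedPKIXParameters paramsPKIX, List certPathCerts) throws AnnotatedException {
    // (f)
    // get issuer from CRL
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try {
        byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
        selector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }
    // get CRL signing certs
    Collection coll;
    try {
        coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores());
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores()));
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);
    Iterator cert_it = coll.iterator();
    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    while (cert_it.hasNext()) {
        X509Certificate signingCert = (X509Certificate) cert_it.next();
        /*
         * CA of the certificate, for which this CRL is checked, has also
         * signed CRL, so skip the path validation, because is already done
         */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try {
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            selector = new X509CertStoreSelector();
            selector.setCertificate(signingCert);
            ExtendedPKIXParameters temp = (ExtendedPKIXParameters) paramsPKIX.clone();
            temp.setTargetCertConstraints(selector);
            ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance(temp);
            /*
             * if signingCert is placed not higher on the cert path a
             * dependency loop results. CRL for cert is checked, but
             * signingCert is needed for checking the CRL which is dependent
             * on checking cert because it is higher in the cert path and so
             * signing signingCert transitively. so, revocation is disabled,
             * forgery attacks of the CRL are detected in this outer loop
             * for all other it must be enabled to prevent forgery attacks
             */
            if (certPathCerts.contains(signingCert)) {
                params.setRevocationEnabled(false);
            } else {
                params.setRevocationEnabled(true);
            }
            List certs = builder.build(params).getCertPath().getCertificates();
            validCerts.add(signingCert);
            // index 0 is the target (signingCert) of the freshly built path
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
        } catch (CertPathBuilderException e) {
            throw new AnnotatedException("Internal error.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // What remains here is NoSuchAlgorithmException / NoSuchProviderException
            // from getInstance() and InvalidAlgorithmParameterException from build(),
            // i.e. a broken provider setup. Keep the cause attached; the original
            // message-only wrapping discarded the stack trace needed to diagnose it.
            throw new RuntimeException(e.getMessage(), e);
        }
    }
    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate) validCerts.get(i);
        boolean[] keyusage = signCert.getKeyUsage();
        // A present key usage extension must contain the cRLSign bit; the length
        // guard keeps the index in range for a truncated bit string. No extension
        // at all does not disqualify the candidate.
        if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN])) {
            // Only the last rejection is remembered; it is reported solely when
            // no candidate at all survives the key usage check.
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }
    if (checkKeys.isEmpty() && lastException == null) {
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    if (checkKeys.isEmpty() && lastException != null) {
        throw lastException;
    }
    return checkKeys;
}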

Example 3 with X509CertStoreSelector

Use of com.github.zhenwei.provider.x509.X509CertStoreSelector in project robovm by robovm.

Class CertPathValidatorUtilities, method findIssuerCerts.

/**
 * Find the issuer certificates of a given certificate.
 * <p>
 * The lookup is by name only: every certificate whose subject equals the
 * issuer name of <code>cert</code> is returned, in whatever order the
 * backing <code>HashSet</code> yields. No signature check is performed here.
 * </p>
 *
 * @param cert       The certificate for which an issuer should be found.
 * @param pkixParams The PKIX builder parameters whose certificate stores,
 *                   X.509 stores and additional stores are searched.
 * @return A <code>Collection</code> object containing the issuer
 *         <code>X509Certificate</code>s. Never <code>null</code>, possibly empty.
 * @throws AnnotatedException if the issuer name cannot be applied to the selector
 *                            or one of the stores cannot be searched.
 */
protected static Collection findIssuerCerts(X509Certificate cert, ExtendedPKIXBuilderParameters pkixParams) throws AnnotatedException {
    X509CertStoreSelector issuerSelector = new X509CertStoreSelector();
    try {
        issuerSelector.setSubject(cert.getIssuerX500Principal().getEncoded());
    } catch (IOException ex) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
    }
    List matches = new ArrayList();
    try {
        matches.addAll(CertPathValidatorUtilities.findCertificates(issuerSelector, pkixParams.getCertStores()));
        matches.addAll(CertPathValidatorUtilities.findCertificates(issuerSelector, pkixParams.getStores()));
        matches.addAll(CertPathValidatorUtilities.findCertificates(issuerSelector, pkixParams.getAdditionalStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate cannot be searched.", e);
    }
    Set issuers = new HashSet();
    for (Iterator it = matches.iterator(); it.hasNext(); ) {
        // The cast is the only check applied: the issuer cannot be verified
        // here, because possible DSA inheritance parameters are missing.
        issuers.add((X509Certificate) it.next());
    }
    return issuers;
}

Example 4 with X509CertStoreSelector

Use of com.github.zhenwei.provider.x509.X509CertStoreSelector in project LinLong-Java by zhenwei1108.

Class RFC3281CertPathUtilities, method processAttrCert1.

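/**
 * Searches for a holder public key certificate and verifies its certification path.
 * <p>
 * Holder certificates are looked up by base certificate ID (issuer name plus
 * serial number) and by entity name; every candidate found is then path-built
 * with a PKIX <code>CertPathBuilder</code>. A build failure for any candidate
 * is remembered and reported after the loop, so a single unbuildable candidate
 * fails the whole step. The returned path is that of the last candidate built.
 * </p>
 *
 * @param attrCert   the attribute certificate.
 * @param pkixParams The PKIX parameters.
 * @return The certificate path of the holder certificate.
 * @throws CertPathValidatorException if
 *                                    <ul>
 *                                    <li>no public key certificate can be found although holder
 *                                    information is given by an entity name or a base certificate
 *                                    ID
 *                                    <li>the holder carries neither an entity name nor a base
 *                                    certificate ID, so no certificate can be looked up
 *                                    <li>support classes cannot be created
 *                                    <li>no certification path for the public key certificate can
 *                                    be built
 *                                    </ul>
 * @throws RuntimeException           if the builder rejects its own parameters; this is a
 *                                    programming error, not a property of the input.
 */
protected static CertPath processAttrCert1(X509AttributeCertificate attrCert, PKIXExtendedParameters pkixParams) throws CertPathValidatorException {
    CertPathBuilderResult result = null;
    // find holder PKCs
    LinkedHashSet holderPKCs = new LinkedHashSet();
    if (attrCert.getHolder().getIssuer() != null) {
        X509CertSelector selector = new X509CertSelector();
        selector.setSerialNumber(attrCert.getHolder().getSerialNumber());
        Principal[] principals = attrCert.getHolder().getIssuer();
        for (int i = 0; i < principals.length; i++) {
            try {
                // Only X500 names can be matched; other principal types leave the
                // issuer criterion as set by the previous iteration (or unset).
                if (principals[i] instanceof X500Principal) {
                    selector.setIssuer(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
            }
        }
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
        }
    }
    if (attrCert.getHolder().getEntityNames() != null) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = attrCert.getHolder().getEntityNames();
        for (int i = 0; i < principals.length; i++) {
            try {
                // NOTE(review): entity names describe the holder itself, yet they are
                // applied as an issuer criterion here, mirroring the base-certificate-ID
                // branch above. Confirm this is the intended matching rule.
                if (principals[i] instanceof X500Principal) {
                    selector.setIssuer(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
            }
        }
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
        }
    }
    // verify cert paths for PKCs
    PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(pkixParams);
    CertPathValidatorException lastException = null;
    for (Iterator it = holderPKCs.iterator(); it.hasNext(); ) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        selector.setCertificate((X509Certificate) it.next());
        paramsBldr.setTargetConstraints(new PKIXCertStoreSelector.Builder(selector).build());
        CertPathBuilder builder = null;
        try {
            builder = CertPathBuilder.getInstance("PKIX", WeGooProvider.PROVIDER_NAME);
        } catch (NoSuchProviderException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        }
        try {
            result = builder.build(new PKIXExtendedBuilderParameters.Builder(paramsBldr.build()).build());
        } catch (CertPathBuilderException e) {
            // Remembered rather than thrown so that every candidate is attempted;
            // only the last failure survives.
            lastException = new ExtCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", e);
        } catch (InvalidAlgorithmParameterException e) {
            // must be a programming error; keep the cause for diagnosis
            throw new RuntimeException(e.getMessage(), e);
        }
    }
    if (lastException != null) {
        throw lastException;
    }
    if (result == null) {
        // Reached only when the holder has neither a base certificate ID nor an
        // entity name: no lookup ran, so there is no path. Previously this fell
        // through to a null dereference.
        throw new CertPathValidatorException("Attribute certificate holder names no public key certificate that could be looked up.");
    }
    return result.getCertPath();
}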

Example 5 with X509CertStoreSelector

Use of com.github.zhenwei.provider.x509.X509CertStoreSelector in project LinLong-Java by zhenwei1108.

Class LDAPStoreHelper, method getCACertificates.

/**
 * Returns CA certificates.
 * <p>
 * The cACertificate attribute of a CA's directory entry shall be used to store self-issued
 * certificates (if any) and certificates issued to this CA by CAs in the same realm as this CA.
 * </p>
 * <p>
 * A first directory search uses the caller's selector. If it yields nothing, a second
 * search with an unconstrained selector is run and its hits are handed to
 * <code>createCerts</code> together with the caller's original selector.
 * </p>
 *
 * @param selector The selector to find the certificates.
 * @return A possibly empty collection with certificates.
 * @throws StoreException if the directory search fails.
 */
public Collection getCACertificates(X509CertStoreSelector selector) throws StoreException {
    String[] certAttrs = splitString(params.getCACertificateAttribute());
    String[] ldapAttrNames = splitString(params.getLdapCACertificateAttributeName());
    String[] subjectAttrNames = splitString(params.getCACertificateSubjectAttributeName());
    List hits = certSubjectSerialSearch(selector, certAttrs, ldapAttrNames, subjectAttrNames);
    Set found = createCerts(hits, selector);
    if (found.isEmpty()) {
        // Fallback: fetch every CA certificate entry; createCerts still receives the
        // original selector (presumably to filter client-side - confirm against createCerts).
        X509CertStoreSelector matchAll = new X509CertStoreSelector();
        hits = certSubjectSerialSearch(matchAll, certAttrs, ldapAttrNames, subjectAttrNames);
        found.addAll(createCerts(hits, selector));
    }
    return found;
}
